
My pain point: I have an EC2 instance with Postgres installed (which is in a private subnet), and everything is working fine. All members can connect to the DB only when they are in the DEV cluster (I mean the same CIDR; the security group is designed to get traffic only from that CIDR). The problem here is I wanted to get a connection locally. I cannot alter the security group. Initially I planned to create a public Network Load Balancer, make the EC2 instance a target on port 5432, and install apache2 for the health check (200 success as healthy). But I am still unable to connect to that EC2 machine. Can anyone advise on the best practice?

As per our policy, only the HTTPS port can be opened.

Jithin Kumar S

1 Answer


If you are limited to only having 443 open, then you would need to update your Postgres instance to be served over that port, although the recommended port for both TLS and plain-text connections to Postgres is 5432.

For a DB instance you would use a Network Load Balancer; the inbound traffic is determined by the inbound security group rules of the instances.

You should avoid installing apache on your Postgres servers to allow load balancer health checks to pass, as it's not related to the health of the Postgres service. Instead, a TCP health check on the port of your Postgres service should be used.

I would suggest discussing with your peers why Postgres must run on port 443, as it is not best practice and could lead to confusion. Normally these kinds of limitations are intended for web traffic, and for other services in the future you might find you're limited in available ports.

Chris Williams
  • Thanks Chris for the response. But let's assume a situation where our dev servers are also in the cloud; then for remote debugging surely we need to connect to the DB. But our problem is that our audit team will never allow 5432 --> 0.0.0.0/0, nor with the office VPN. So how would we make a restriction in the security group and have people connect to it from locally? – Jithin Kumar S Jul 22 '20 at 17:29
  • If you're not able to have a VPN then you're limited to locking down the security group to your on-premise IP addresses. Is there any reason why you cannot have a VPN? :) – Chris Williams Jul 22 '20 at 17:31
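The setup the answer and the comments converge on, written out as Terraform. This is an added example, not code from the question or the answer, and every concrete value in it (region, VPC, subnet, instance and security group IDs, the VPC CIDR and the office client CIDRs) is a placeholder assumption. It goes one step beyond the answer in one respect: the NLB listens on 443 (the only port the policy allows on the public side) and forwards to a target group on 5432, so Postgres itself keeps its default port. Two things the original attempt ran into are also covered. First, NLB instance targets see the client's real source IP, so the instance security group, not the load balancer, decides who gets in; with the group only allowing the DEV CIDR, an external client is dropped even though the listener is reachable, which is why the public NLB alone did not help. Second, the health check is a plain TCP check on 5432 rather than an HTTP check against apache.

```hcl
# Added example: public NLB on 443 forwarding to Postgres on 5432.
# All IDs, CIDRs and the region below are placeholder assumptions, not values from the post.

provider "aws" {
  region = "eu-west-1" # assumed
}

variable "vpc_id" {
  default = "vpc-0123456789abcdef0" # assumed
}

variable "vpc_cidr" {
  default = "10.0.0.0/16" # assumed; source range of the NLB health-check probes
}

variable "public_subnet_ids" {
  default = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # assumed
}

variable "pg_instance_id" {
  default = "i-0123456789abcdef0" # assumed: the EC2 instance running Postgres
}

variable "pg_security_group_id" {
  default = "sg-0123456789abcdef0" # assumed: the instance's security group
}

variable "allowed_client_cidrs" {
  # Office egress addresses, never 0.0.0.0/0 (assumed values).
  default = ["203.0.113.10/32"]
}

resource "aws_lb" "pg" {
  name               = "pg-dev-nlb"
  load_balancer_type = "network"
  internal           = false
  subnets            = var.public_subnet_ids
}

# Target group on the real Postgres port. The health check is a TCP connect to that
# same port, so it reflects whether the database accepts connections, not whether apache is up.
resource "aws_lb_target_group" "pg" {
  name        = "pg-dev-tg"
  port        = 5432
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = var.vpc_id

  health_check {
    protocol            = "TCP"
    port                = "traffic-port"
    interval            = 10
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

resource "aws_lb_target_group_attachment" "pg" {
  target_group_arn = aws_lb_target_group.pg.arn
  target_id        = var.pg_instance_id
  port             = 5432
}

# Public side: 443 is the only port policy allows, so listen there and forward to 5432.
# This is TCP pass-through; nothing about port 443 makes the connection TLS.
resource "aws_lb_listener" "pg_443" {
  load_balancer_arn = aws_lb.pg.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.pg.arn
  }
}

# Instance targets preserve the client source IP, so the instance security group is the
# actual access control. Allow only the office CIDRs on 5432 ...
resource "aws_security_group_rule" "pg_from_clients" {
  type              = "ingress"
  security_group_id = var.pg_security_group_id
  protocol          = "tcp"
  from_port         = 5432
  to_port           = 5432
  cidr_blocks       = var.allowed_client_cidrs
}

# ... plus the VPC CIDR, which is where the NLB's health-check probes come from.
resource "aws_security_group_rule" "pg_health_check" {
  type              = "ingress"
  security_group_id = var.pg_security_group_id
  protocol          = "tcp"
  from_port         = 5432
  to_port           = 5432
  cidr_blocks       = [var.vpc_cidr]
}

output "pg_connection_string" {
  value = "host=${aws_lb.pg.dns_name} port=443 sslmode=require"
}
```

Clients then connect with something like `psql "host=<nlb-dns-name> port=443 sslmode=require dbname=... user=..."`. Because the listener is TCP pass-through, the port number buys no encryption: set `ssl = on` in postgresql.conf and use `hostssl` (not `host`) entries in pg_hba.conf for the external ranges, so a plaintext connection from outside is rejected rather than silently accepted. The two `aws_security_group_rule` resources are exactly the "lock the security group down to your on-premise IP addresses" option from the last comment; they still require changing the security group, which the question says is not permitted, so without that change or a VPN there is no route for external clients regardless of how the load balancer is configured.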